Commit graph

134 commits

Author SHA1 Message Date
Kelvin M. Klann
5871b08a41 ci: run for every branch instead of just master
Having CI always run on WIP branches without having to open a PR
beforehand makes it easier to debug CI issues.

GitHub currently does not have any apparent limit for CI runs and there
are no project-specific secrets as far as I know, so it should be safe
to remove these restrictions.
2023-05-03 16:32:35 -03:00
Kelvin M. Klann
a2c8a5f03c ci: allow endpoints used in tests
Relevant lines from build_and_test[1]:

    endpoint called ip address:port 1.1.1.1:1025, domain:
    endpoint called ip address:port 54.185.253.63:43, domain: whois.pir.org.
    ##[error]StepSecurity Harden Runner: DNS resolution for domain dns.quad9.net. was blocked. This domain is not in the list of allowed-endpoints.
    ##[error]StepSecurity Harden Runner: DNS resolution for domain whois.pir.org. was blocked. This domain is not in the list of allowed-endpoints.

The relevant tests were added in the following commits:

* ef4409e7b ("added whois and dig profiles", 2018-08-30)
* 171898233 ("more profile fixes/testing", 2023-01-19)

Relates to #5439 #5485.

[1] https://github.com/netblue30/firejail/actions/runs/4854586882/jobs/8652141329
2023-05-03 16:21:18 -03:00
dependabot[bot]
b05cd01625 build(deps): bump github/codeql-action from 2.3.0 to 2.3.2
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.0 to 2.3.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](b2c19fb9a2...f3feb00acb)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-01 10:58:32 +00:00
Kelvin M. Klann
339d395fbd ci: print env-related settings in each job
To make debugging easier.

Use a separate shell script instead of just a make target to ensure that
it can safely run before ./configure and without having make installed.
2023-04-28 04:45:57 -03:00
Kelvin M. Klann
fde591c2b7 ci: print some program versions
To make debugging easier.
2023-04-28 04:45:57 -03:00
Kelvin M. Klann
fd59df07de ci: line-wrap and split/join some commands
For increased readability.

Note: `>` basically turns each newline into a space while `|` keeps
newlines as is.  Both remove leading indentation.

Note2: On jobs using `apt-get install`, this commit moves package names
to their own line, to make it easier to compare which packages are being
installed across such jobs.
2023-04-24 23:29:28 -03:00
Kelvin M. Klann
b9885cd5a7 ci: simplify test steps in build.yml
Kind of relates to commit 6d0c7514e ("split make test-github into
different actions", 2023-01-31).
2023-04-24 23:16:48 -03:00
Kelvin M. Klann
3a5774c48c ci: ignore build workflows on more workflows
This makes each workflow ignore every other workflow.

Relates to #5481.
2023-04-24 23:16:48 -03:00
dependabot[bot]
9e2e6ce4fb build(deps): bump step-security/harden-runner from 2.3.0 to 2.3.1
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](03bee39306...6b3083af28)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-25 02:15:55 +00:00
dependabot[bot]
3f5b591deb build(deps): bump github/codeql-action from 2.2.12 to 2.3.0
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.12 to 2.3.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](7df0ce3489...b2c19fb9a2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-25 02:15:44 +00:00
dependabot[bot]
f1059dae11 build(deps): bump actions/checkout from 3.5.0 to 3.5.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.0 to 3.5.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](8f4b7f8486...8e5e7e5ab8)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-17 18:16:07 +00:00
dependabot[bot]
51f898b952 build(deps): bump github/codeql-action from 2.2.11 to 2.2.12
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.11 to 2.2.12.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](d186a2a36c...7df0ce3489)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-17 18:15:17 +00:00
dependabot[bot]
af6ec5d42e build(deps): bump github/codeql-action from 2.2.9 to 2.2.11
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.9 to 2.2.11.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](04df1262e6...d186a2a36c)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-10 09:31:25 +00:00
Kelvin M. Klann
03a1f471c4 ci: fix codeql unable to download its own bundle
Due to step-security/harden-runner blocking access to
objects.githubusercontent.com.

Log from a recent run of CodeQL[1] [2]:

    ##[group]Setup CodeQL tools
    Did not find CodeQL tools version 2.12.6 in the toolcache.
    Downloading CodeQL tools from https://github.com/github/codeql-action/releases/download/codeql-bundle-20230403/codeql-bundle-linux64.tar.gz. This may take a while.
    connect ECONNREFUSED 54.185.253.63:443
    Waiting 13 seconds before trying again
    connect ECONNREFUSED 54.185.253.63:443
    Waiting 12 seconds before trying again
    ##[error]connect ECONNREFUSED 54.185.253.63:443
    ##[error]Unable to download and extract CodeQL CLI
    Post job cleanup.
    [...]
    Mon, 10 Apr 2023 07:20:18 GMT:endpoint called ip address:port 140.82.112.4:443, domain: github.com.
    Mon, 10 Apr 2023 07:20:20 GMT:endpoint called ip address:port 140.82.112.6:443, domain: api.github.com.
    Mon, 10 Apr 2023 07:20:23 GMT:domain not allowed: objects.githubusercontent.com.
    Mon, 10 Apr 2023 07:20:23 GMT:ip address dropped: 54.185.253.63
    Mon, 10 Apr 2023 07:20:23 GMT:endpoint called ip address:port 140.82.112.4:443, domain: github.com.
    Mon, 10 Apr 2023 07:20:23 GMT:endpoint called ip address:port 54.185.253.63:443, domain: objects.githubusercontent.com.
    Mon, 10 Apr 2023 07:20:35 GMT:domain not allowed: api.snapcraft.io.

[1] https://github.com/netblue30/firejail/pull/5781
[2] https://github.com/netblue30/firejail/actions/runs/4655304231/jobs/8238131624
2023-04-10 09:23:47 +00:00
dependabot[bot]
7b7ec30de7 build(deps): bump step-security/harden-runner from 2.2.1 to 2.3.0
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.2.1 to 2.3.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](1f99358870...03bee39306)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-10 07:34:54 +00:00
dependabot[bot]
f86299889b build(deps): bump github/codeql-action from 2.2.7 to 2.2.9
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.7 to 2.2.9.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](168b99b3c2...04df1262e6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-03 08:14:20 +00:00
dependabot[bot]
9c438eff6f build(deps): bump actions/checkout from 3.4.0 to 3.5.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.4.0 to 3.5.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](24cb908017...8f4b7f8486)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-27 08:23:23 +00:00
Kelvin M. Klann
ff42f7248b ci: always update the package db before installing packages
This should fix installing packages on build-extra.yml.

Note that this is already done on build.yml and on gitlab-ci.yml.

From the GitHub Actions documentation[1] [2]:

> Note: Always run `sudo apt-get update` before installing a package. In
> case the `apt` index is stale, this command fetches and re-indexes any
> available packages, which helps prevent package installation failures.

[1] https://docs.github.com/en/actions/using-github-hosted-runners/customizing-github-hosted-runners
[2] https://github.com/actions/runner-images/issues/2924
2023-03-20 22:09:13 -03:00
dependabot[bot]
913c139686 build(deps): bump actions/checkout from 3.3.0 to 3.4.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.3.0 to 3.4.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](ac59398561...24cb908017)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-20 17:12:03 +00:00
dependabot[bot]
acd270fd64 build(deps): bump github/codeql-action from 2.2.6 to 2.2.7
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.6 to 2.2.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](16964e90ba...168b99b3c2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-20 17:11:11 +00:00
netblue30
7ab9854072 Merge pull request #5730 from netblue30/dependabot/github_actions/step-security/harden-runner-2.2.1
build(deps): bump step-security/harden-runner from 2.2.0 to 2.2.1
2023-03-13 12:51:47 -04:00
dependabot[bot]
229c86efde build(deps): bump github/codeql-action from 2.2.5 to 2.2.6
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.5 to 2.2.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](32dc499307...16964e90ba)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 06:58:10 +00:00
dependabot[bot]
669878ee48 build(deps): bump step-security/harden-runner from 2.2.0 to 2.2.1
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.2.0 to 2.2.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](c8454efe5d...1f99358870)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 06:58:06 +00:00
netblue30
c79aa14295 testing
2023-03-09 08:39:25 -05:00
netblue30
acf8efb878 testing
2023-03-08 16:23:30 -05:00
Kelvin M. Klann
b32c5d31fe ci: remove extra space on codespell job
Added on commit d78fc96ee ("codespell github action", 2023-03-05).
2023-03-06 04:27:49 -03:00
netblue30
d78fc96ee0 codespell github action
2023-03-05 09:57:04 -05:00
netblue30
1bab42a724 test apparmor
2023-03-04 11:48:00 -05:00
netblue30
5b1d1d5cf1 more testing
2023-03-03 17:05:15 -05:00
netblue30
91235785e0 network testing
2023-03-02 08:19:41 -05:00
netblue30
b50812ff5e appimage testing
2023-03-01 08:52:53 -05:00
netblue30
27c4d069f3 chroot testing
2023-02-28 09:51:26 -05:00
dependabot[bot]
837157f902 build(deps): bump github/codeql-action from 2.2.4 to 2.2.5
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.4 to 2.2.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](17573ee1cc...32dc499307)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-27 17:47:51 +00:00
dependabot[bot]
5124d30be5 build(deps): bump step-security/harden-runner from 2.1.0 to 2.2.0
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.1.0 to 2.2.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](18bf8ad2ca...c8454efe5d)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-27 17:47:16 +00:00
netblue30
6dd9bdfd34 Merge pull request #5668 from kmk3/build-deb-apparmor-default
build: deb: enable apparmor by default & remove deb-apparmor
2023-02-17 09:16:56 -05:00
Kelvin M. Klann
9837161840 ci: move --prefix configure arg first
In the `build_and_test` job, to match the common usage.

Added on commit 300efec35 ("let github CI run tests", 2020-10-24).
2023-02-17 10:29:54 -03:00
netblue30
df6ea884f1 merges, disable sort.py in profile checks temporarily, two more private-etc profiles
2023-02-14 09:17:00 -05:00
dependabot[bot]
29841abd60 build(deps): bump github/codeql-action from 2.2.1 to 2.2.4
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.1 to 2.2.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](3ebbd71c74...17573ee1cc)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-13 06:58:04 +00:00
netblue30
cb1104edf9 private-etc testing
2023-02-06 22:28:25 -05:00
netblue30
b55cb6a80a testing
2023-01-31 18:56:42 -05:00
netblue30
798031b205 more github tests
2023-01-31 18:12:31 -05:00
netblue30
9b89fa661c test fix
2023-01-31 14:19:48 -05:00
netblue30
6d0c7514ed split make test-github into different actions
2023-01-31 14:10:31 -05:00
netblue30
1e6116cf15 testing sysutils
2023-01-31 11:15:21 -05:00
netblue30
4a5eb61038 Merge pull request #5627 from kmk3/build-autogen-syntax
build: auto-generate syntax files
2023-01-30 07:23:27 -05:00
dependabot[bot]
59bf4c0f2f build(deps): bump github/codeql-action from 2.1.39 to 2.2.1
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.39 to 2.2.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](a34ca99b46...3ebbd71c74)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-30 06:04:59 +00:00
Kelvin M. Klann
56ae3a0111 ci: profile-checks: comment private-etc-always-required.sh
This check was broken by commit 34d004892 ("private-etc: corss-distro
test for curl, gimp, inkscape, firefox, warzone2100", 2023-01-28).

private-etc is currently being reworked and the files in question may no
longer be required.

Output of running the check:

    $ ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
    etc/profile-a-l/curl.profile misses alternatives
    etc/profile-a-l/curl.profile misses ld.so.cache
    etc/profile-a-l/curl.profile misses ld.so.preload
    etc/profile-a-l/firefox-common.profile misses alternatives
    etc/profile-a-l/firefox-common.profile misses ld.so.cache
    etc/profile-a-l/firefox-common.profile misses ld.so.preload
    etc/profile-a-l/gimp.profile misses alternatives
    etc/profile-a-l/gimp.profile misses ld.so.cache
    etc/profile-a-l/gimp.profile misses ld.so.preload
    etc/profile-a-l/inkscape.profile misses alternatives
    etc/profile-a-l/inkscape.profile misses ld.so.cache
    etc/profile-a-l/inkscape.profile misses ld.so.preload
    etc/profile-m-z/warzone2100.profile misses alternatives
    etc/profile-m-z/warzone2100.profile misses ld.so.cache
    etc/profile-m-z/warzone2100.profile misses ld.so.preload

Relates to #4643 #5610.
2023-01-29 02:25:38 -03:00
Kelvin M. Klann
88ba851893 build: move syntax files to contrib/syntax/files
Having all of the syntax files in the same directory makes it easier to
reference all of them at once on a makefile (such as with
`contrib/syntax/files/*.in`).

Also, this makes the path to the gtksourceview language-spec shorter.
Current path/new path:

* contrib/gtksourceview-5/language-specs/firejail-profile.lang
* contrib/syntax/files/firejail-profile.lang

Currently, adding a rule to the root Makefile to generate the
language-spec in the same directory as an input file would take at least
95 characters (with only a single dependency):

    contrib/gtksourceview-5/language-specs/%.lang: contrib/gtksourceview-5/language-specs/%.lang.in

With this commit, the above is shortened to 59 characters:

    contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in

Which should make it more readable.

Relates to #2679 #5502.
2023-01-27 23:20:40 -03:00
Kelvin M. Klann
cb65de5054 ci: sort items on paths-ignore lists
See commit 9bf5e453c ("ci: sort items on paths-ignore lists",
2022-07-12) / PR #5481.
2023-01-27 02:47:21 -03:00
dependabot[bot]
6a0691cc6c build(deps): bump github/codeql-action from 2.1.38 to 2.1.39
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.38 to 2.1.39.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](515828d974...a34ca99b46)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-23 17:15:08 +00:00